[Security] Fix COOP behavior in insecure contexts.

COOP should be disregarded in insecure contexts. This was not done properly and only avoided storing the COOP value in the RenderFrameHost after using it to potentially do a BrowsingInstance swap. This patch fixes the issue by completely stripping the response of its COOP value in such cases. Also fixes CrossOriginOpenerPolicyBrowserTest to use an HTTPS server and add a test that verifies it does not work over HTTP. Bug: 922191 Change-Id: I4eb31afe33bbee0da672d8179879ca8242668258 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2087917Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Arthur Hemery <ahemery@chromium.org> Cr-Commit-Position: refs/heads/master@{#747285}

[Security] Fix COOP behavior in insecure contexts.
COOP should be disregarded in insecure contexts. This was not done properly and only avoided storing the COOP value in the RenderFrameHost after using it to potentially do a BrowsingInstance swap. This patch fixes the issue by completely stripping the response of its COOP value in such cases. Also fixes CrossOriginOpenerPolicyBrowserTest to use an HTTPS server and add a test that verifies it does not work over HTTP. Bug: 922191 Change-Id: I4eb31afe33bbee0da672d8179879ca8242668258 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2087917Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Arthur Hemery <ahemery@chromium.org> Cr-Commit-Position: refs/heads/master@{#747285}
1b99e9ec · Arthur Hemery · Commit Bot · 423ffceb · 1b99e9ec · 1b99e9ec
Commit 1b99e9ec authored Mar 05, 2020 by Arthur Hemery Committed by Commit Bot Mar 05, 2020
2 changed files
--- a/content/browser/cross_origin_opener_policy_browsertest.cc
+++ b/content/browser/cross_origin_opener_policy_browsertest.cc
@@ -3,6 +3,7 @@
 // found in the LICENSE file.

 #include "base/test/scoped_feature_list.h"
+#include "components/network_session_configurator/common/network_switches.h"
 #include "content/browser/frame_host/navigation_request.h"
 #include "content/browser/frame_host/render_frame_host_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
@@ -17,16 +18,26 @@ namespace content {

 class CrossOriginOpenerPolicyBrowserTest : public ContentBrowserTest {
 public:
-  CrossOriginOpenerPolicyBrowserTest() {
+  CrossOriginOpenerPolicyBrowserTest()
+      : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
    std::vector<base::Feature> features;
    feature_list_.InitWithFeatures({network::features::kCrossOriginIsolation},
                                   {});
+    base::CommandLine::ForCurrentProcess()->AppendSwitch(
+        switches::kIgnoreCertificateErrors);
  }

+  net::EmbeddedTestServer* https_server() { return &https_server_; }
+
 protected:
  void SetUpOnMainThread() override {
    host_resolver()->AddRule("*", "127.0.0.1");
    ASSERT_TRUE(embedded_test_server()->Start());
+
+    https_server()->ServeFilesFromSourceDirectory(GetTestDataFilePath());
+    SetupCrossSiteRedirector(https_server());
+    https_server()->SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
+    ASSERT_TRUE(https_server()->Start());
  }

  WebContentsImpl* web_contents() const {
@@ -38,12 +49,13 @@ class CrossOriginOpenerPolicyBrowserTest : public ContentBrowserTest {
  }

  base::test::ScopedFeatureList feature_list_;
+  net::EmbeddedTestServer https_server_;
 };

 IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
                       NewPopupCOOP_InheritsSameOrigin) {
-  GURL starting_page(embedded_test_server()->GetURL(
-      "a.com", "/cross_site_iframe_factory.html?a(a)"));
+  GURL starting_page(
+      https_server()->GetURL("a.com", "/cross_site_iframe_factory.html?a(a)"));
  EXPECT_TRUE(NavigateToURL(shell(), starting_page));

  RenderFrameHostImpl* main_frame = current_frame_host();
@@ -68,8 +80,8 @@ IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,

 IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
                       NewPopupCOOP_InheritsSameOriginAllowPopups) {
-  GURL starting_page(embedded_test_server()->GetURL(
-      "a.com", "/cross_site_iframe_factory.html?a(a)"));
+  GURL starting_page(
+      https_server()->GetURL("a.com", "/cross_site_iframe_factory.html?a(a)"));
  EXPECT_TRUE(NavigateToURL(shell(), starting_page));

  RenderFrameHostImpl* main_frame = current_frame_host();
@@ -94,8 +106,8 @@ IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,

 IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
                       NewPopupCOOP_CrossOriginDoesNotInherit) {
-  GURL starting_page(embedded_test_server()->GetURL(
-      "a.com", "/cross_site_iframe_factory.html?a(b)"));
+  GURL starting_page(
+      https_server()->GetURL("a.com", "/cross_site_iframe_factory.html?a(b)"));
  EXPECT_TRUE(NavigateToURL(shell(), starting_page));

  RenderFrameHostImpl* main_frame = current_frame_host();
@@ -121,8 +133,8 @@ IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
 IN_PROC_BROWSER_TEST_F(
    CrossOriginOpenerPolicyBrowserTest,
    NewPopupCOOP_SameOriginPolicyAndCrossOriginIframeSetsNoopener) {
-  GURL starting_page(embedded_test_server()->GetURL(
-      "a.com", "/cross_site_iframe_factory.html?a(b)"));
+  GURL starting_page(
+      https_server()->GetURL("a.com", "/cross_site_iframe_factory.html?a(b)"));
  EXPECT_TRUE(NavigateToURL(shell(), starting_page));

  RenderFrameHostImpl* main_frame = current_frame_host();
@@ -164,7 +176,7 @@ IN_PROC_BROWSER_TEST_F(

 IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
                       NetworkErrorOnSandboxedPopups) {
-  GURL starting_page(embedded_test_server()->GetURL(
+  GURL starting_page(https_server()->GetURL(
      "a.com", "/cross-origin-opener-policy_sandbox_popup.html"));
  EXPECT_TRUE(NavigateToURL(shell(), starting_page));

@@ -186,14 +198,14 @@ IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,

 IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
                       NoNetworkErrorOnSandboxedDocuments) {
-  GURL starting_page(embedded_test_server()->GetURL(
+  GURL starting_page(https_server()->GetURL(
      "a.com", "/cross-origin-opener-policy_csp_sandboxed.html"));
  EXPECT_TRUE(NavigateToURL(shell(), starting_page));
  EXPECT_NE(current_frame_host()->active_sandbox_flags(),
            blink::mojom::WebSandboxFlags::kNone)
      << "Document should be sandboxed.";

-  GURL next_page(embedded_test_server()->GetURL(
+  GURL next_page(https_server()->GetURL(
      "a.com", "/cross-origin-opener-policy_same-origin.html"));

  EXPECT_TRUE(NavigateToURL(shell(), next_page));
@@ -241,9 +253,9 @@ class CrossOriginPolicyHeadersObserver : public WebContentsObserver {

 IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
                       RedirectsParseCoopAndCoepHeaders) {
-  GURL redirect_initial_page(embedded_test_server()->GetURL(
+  GURL redirect_initial_page(https_server()->GetURL(
      "a.com", "/cross-origin-opener-policy_redirect_initial.html"));
-  GURL redirect_final_page(embedded_test_server()->GetURL(
+  GURL redirect_final_page(https_server()->GetURL(
      "a.com", "/cross-origin-opener-policy_redirect_final.html"));

  CrossOriginPolicyHeadersObserver obs(
@@ -255,4 +267,19 @@ IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
      NavigateToURL(shell(), redirect_initial_page, redirect_final_page));
 }

+IN_PROC_BROWSER_TEST_F(CrossOriginOpenerPolicyBrowserTest,
+                       CoopIsIgnoredOverHttp) {
+  GURL non_coop_page(embedded_test_server()->GetURL("a.com", "/title1.html"));
+  GURL coop_page(embedded_test_server()->GetURL(
+      "a.com", "/cross-origin-opener-policy_same-origin.html"));
+
+  scoped_refptr<SiteInstance> initial_site_instance(
+      current_frame_host()->GetSiteInstance());
+
+  EXPECT_TRUE(NavigateToURL(shell(), coop_page));
+  EXPECT_EQ(current_frame_host()->GetSiteInstance(), initial_site_instance);
+  EXPECT_EQ(current_frame_host()->cross_origin_opener_policy(),
+            network::mojom::CrossOriginOpenerPolicy::kUnsafeNone);
+}
+
 }  // namespace content
--- a/content/browser/frame_host/navigation_request.cc
+++ b/content/browser/frame_host/navigation_request.cc
@@ -1844,6 +1844,13 @@ void NavigationRequest::OnResponseStarted(
      }
    }

+    // The Cross-Origin-Opener-Policy header should be ignored if delivered in
+    // insecure contexts.
+    if (!IsOriginSecure(common_params_->url)) {
+      response_head_->cross_origin_opener_policy =
+          network::mojom::CrossOriginOpenerPolicy::kUnsafeNone;
+    }
+
    // Popups with a sandboxing flag, inherited from their opener, are not
    // allowed to navigate to a document with a Cross-Origin-Opener-Policy that
    // is not "unsafe-none". This ensures a COOP document does not inherit any
@@ -1902,10 +1909,8 @@ void NavigationRequest::OnResponseStarted(
  if (render_frame_host_) {
    render_frame_host_->set_cross_origin_embedder_policy(
        cross_origin_embedder_policy);
-    if (IsOriginSecure(common_params_->url)) {
-      render_frame_host_->set_cross_origin_opener_policy(
-          response_head_->cross_origin_opener_policy);
-    }
+    render_frame_host_->set_cross_origin_opener_policy(
+        response_head_->cross_origin_opener_policy);
  }
  client_security_state_->cross_origin_embedder_policy =
      cross_origin_embedder_policy;